Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.
Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine. An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks.
The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack.
“Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack," Trend Micro senior security researcher Kyle Wilhoit said in a blog post. The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hint strongly at a connection between the three campaigns, he concluded.
The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine's power, transportation, and mining infrastructure, or deploying the malware on different critical infrastructure targets in Ukraine to try to figure out which ones are the most vulnerable, he said.
The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represents a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security.
The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says.
To pull it off, the attackers basically appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy related attacks on energy companies in the US and Europe for years, he notes.
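The sequence Weber describes, an operator-facing HMI issuing open commands to breakers in several areas in quick succession, is something a utility can watch for in its own command audit trail. The following is an added example, not code from the article or from any of the vendors it quotes: a small detector that flags any HMI session which opens breakers at three or more substations within five minutes. The log format, field names, session ids and substation ids are all constructed for the illustration.

```python
"""Flag HMI sessions that issue a burst of breaker-open commands.

Added example (not from the article). The audit-log format below is a
constructed one: "<ISO timestamp> <session id> <substation id> <command>".
Real HMI/SCADA audit trails differ, so parse_log() is the part to adapt.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts session substation command")
Alert = namedtuple("Alert", "session start substations")

# Constructed sample: sess-04 is a routine single-substation switching job,
# sess-17 opens breakers at four substations in under two minutes.
SAMPLE_LOG = """\
2016-01-01T09:10:00 sess-04 SUB-05 BREAKER_OPEN
2016-01-01T09:25:00 sess-04 SUB-05 BREAKER_CLOSE
2016-01-01T15:20:05 sess-17 SUB-03 BREAKER_OPEN
2016-01-01T15:20:09 sess-17 SUB-07 BREAKER_OPEN
2016-01-01T15:20:14 sess-17 SUB-11 BREAKER_OPEN
2016-01-01T15:21:30 sess-17 SUB-02 BREAKER_OPEN
2016-01-01T15:22:00 sess-17 SUB-03 BREAKER_CLOSE
"""


def parse_log(text):
    """Parse the constructed audit-log format into Event tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, session, substation, command = line.split()
        events.append(Event(datetime.fromisoformat(ts), session, substation, command))
    return events


def find_breaker_bursts(events, window=timedelta(minutes=5), min_substations=3):
    """Return one Alert per session that opened breakers at >= min_substations
    distinct substations inside any sliding window of the given length."""
    opens = {}
    for e in events:
        if e.command == "BREAKER_OPEN":
            opens.setdefault(e.session, []).append(e)

    alerts = []
    for session, evs in opens.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            # Distinct substations hit within `window` of this open command.
            subs = {x.substation for x in evs[i:] if x.ts - first.ts <= window}
            if len(subs) >= min_substations:
                alerts.append(Alert(session, first.ts, sorted(subs)))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for a in find_breaker_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT session={a.session} start={a.start} substations={a.substations}")
```

The thresholds are deliberately loose and would be tuned against a site's normal switching activity; a wide-area breaker-open burst is a strong signal on its own, but correlating it with the login source of the HMI session (remote access path, time of day, operator identity) is what separates an attacker-driven HMI from a legitimate emergency operation.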
Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open.
BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems. The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface (HMI) systems that are used to interact with back-end industrial control systems.
ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, nor has it determined whether the malware operators used it to expand their access beyond the compromised HMI. The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised.
“Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, is run by HMIs,” and such an attack shows how they could be compromised.